There may be a number of competing definitions and products already in the market and under development, but the current state of payments tokenization may not be as out of whack as some may think. That’s the assessment of the latest report from the Mobile Payments Industry Workgroup, whose members come from the Federal Reserve Banks of Boston and Atlanta and private-sector payments and technology firms.
The paper, entitled “Is Payment Tokenization Ready for Primetime?” examines the varieties of payments-tokenization services either in use or in development. “One thing we found is it’s probably not as disjointed as it looks to the world,” Marianne Crowe, vice president of the Federal Reserve Bank Boston, tells Digital Transactions News. “As we learned, there are different types of tokenization programs and they do different things.”
Some tokenization programs, like the one used in the Apple Pay mobile-payments service, are used when initiating a payment. Others, like those used by merchants to stand in for sensitive card data in their point-of-sale systems, have been available since the mid-2000s and are used post-authorization. Additionally, some tokenization programs are developed under the auspices of private organizations, such as vendors and the card brands, while others are based on the work of standards bodies.
As the payments industry prepares for an expected greater use of mobile payments, it has to counter consumer concerns over security. Tokenization of card data is central to that effort.
Monday, MasterCard Inc. announced it will offer tokenization services to merchants with app, e-commerce, and recurring-billing programs through its Digital Enablement Service.
Earlier this month Visa Inc. unveiled its Digital Enablement Program, a digital-payments service that relies on tokens.
The Mobile Payments Industry Workgroup hoped to shed some light on tokenization and help the various groups involved in its development understand the overall perspective, says Susan Pandy, director in the Payments Strategies Group at the Boston Fed.
“At the beginning of this, we understood there were so many interpretations and definitions of tokenization programs out there,” Pandy tells Digital Transactions News. “We wanted to understand the differences between the existing security tokenization programs and payments tokenization.”
Among the recommendations in the 51-page report is that communication be improved between emerging wallet providers, such as Apple Inc. and Google Inc., card issuers, and processors. By sharing more technical details, processors and security providers would be able to perform a strong security analysis of the tokenization programs, the report notes.
Other recommendations include developing guidelines for use of the EMV Payment Tokenization Specification from EMVCo; revisiting the card-present versus the card-not-present pricing structure to account for the person- or device-present concept; and developing a consumer identifier that merchants could use as a substitute for card-on-file data.
“This is how it looks today,” Crowe says. “It’s not perfect. It’s moving along, but it seems to be going in the right direction.”